A New RSA-Based Signature Scheme, Sven Schäge, Jörg Schwenk - PowerPoint PPT Presentation


SLIDE 1

A New RSA-Based Signature Scheme

Sven Schäge, Jörg Schwenk

Horst Görtz Institute for IT-Security

Africacrypt 2010

1 / 13

SLIDE 5

RSA-Based Signature Schemes

  • The naïve RSA signature scheme is not secure under the standard definition of security (adaptive chosen message attacks) [GMR99].
  • The RSA assumption is weaker than the popular Strong RSA (SRSA) assumption. In contrast to SRSA, the adversary is not allowed to choose from an exponentially large set of solutions.
  • Only recently, at CRYPTO’09, Hohenberger and Waters (HW) presented the first hash-and-sign signature scheme that is secure solely under the RSA assumption.
  • In this work: an alternative RSA-based signature scheme with additional properties that are useful in privacy-preserving systems.

2 / 13

SLIDE 11

Observations

  • A single HW signature can be interpreted as a combination of several Gennaro-Halevi-Rabin signatures. (Observation 1)
  • The SRSA-based Camenisch-Lysyanskaya (CL) scheme has proven very useful in many privacy-preserving systems. Popular examples: Direct Anonymous Attestation (DAA), compact E-Cash. (Observation 2)
  • Three useful properties of the CL scheme:
      1. The signature scheme supports signing several message blocks.
      2. There exist efficient (NIZK) protocols (in the ROM) to sign committed values.
      3. There exist efficient (NIZK) protocols (in the ROM) for proving knowledge of a signature without revealing it.

3 / 13

SLIDE 19

Idea and Construction

Idea: Combine Observation 1 & Observation 2

  • Construct signatures that can be interpreted as the combination of several CL signatures.
  • Perhaps the decisive properties of the CL scheme can still be found in the new construction!

Technique:

  • Starting point is the CL scheme: the CL proof considers three types of forgery.
  • Key observation: for two of these forgery types, security already reduces to the RSA assumption.
  • The remaining type of forgery can be dealt with using the new proof techniques of HW.
  • In particular: build in that, for a string X, all prefixes of X are processed as well.
  • The modified scheme still allows the first two forgeries to be reduced to the RSA assumption (although the proof is slightly more complicated).

4 / 13

SLIDE 26

Contribution: New Signature Scheme with Useful Properties for Anonymity Preserving Systems

Advantages

  • The new scheme supports signing several message blocks.
  • The new scheme allows signing committed values.
  • The proof technique can be transferred to the Cramer-Shoup, Fischlin and Zhou signature schemes ⇒ several new RSA-based signature schemes!

Disadvantages

  • Signatures are larger than in HW (by just a single exponent).
  • Signature generation and verification take more time.
  • Until now: no efficient (NIZK) protocols for proving knowledge of a signature without revealing it. Future work!

5 / 13

SLIDE 34

Related Work

RSA-based signature schemes in the standard model:

  • Tree-based signature schemes (Dwork-Naor CRYPTO’94 and the more efficient Cramer-Damgård CRYPTO’96)
  • Stateful signature scheme (Hohenberger-Waters EC’09)
  • HW (CRYPTO’09)

RSA-like (i.e. SRSA-based) hash-and-sign signature schemes in the standard model:

  • Gennaro-Halevi-Rabin (EC’99)
  • Cramer-Shoup (ACM Trans. Inf. Syst. Sec.’00)
  • Zhou (Chin. Journ. of Elec.’01), Camenisch-Lysyanskaya (SCN’02), Fischlin (PKC’03)

6 / 13

SLIDE 35

Complexity Assumption

Definition (RSA assumption (RSA)). Given an RSA modulus $n = pq$, where $p, q$ are sufficiently large primes, a prime $\alpha < \varphi(n)$ with $\gcd(\alpha, \varphi(n)) = 1$, and an element $u \in \mathbb{Z}_n^*$, we say that the $(t_{RSA}, \epsilon_{RSA})$-RSA assumption holds if for all $t_{RSA}$-time adversaries $A$

$$\Pr\left[(x) \leftarrow A(n, u, \alpha),\ x \in \mathbb{Z}_n^*,\ x^{\alpha} = u \bmod n\right] \le \epsilon_{RSA},$$

where the probability is over the random choices of $u, n, \alpha$ and the random coins of $A$.

7 / 13

SLIDE 42

Prime Mapping Function t(X)

Very similar to HW except that prime mapping function may not be compressive!

Ingredients:

  • pseudo-random permutation $f_k : \{0,1\}^{l_X} \to \{0,1\}^{l_X}$ with key $k$.
  • random value $s \in_R \{0,1\}^{l_X}$.

Prime mapping function $t$:

$$t(X) := \mathrm{nextprime}(s \oplus f_k(X))$$

Let $X \in \{0,1\}^{l_X}$ and define $X^{(i)} := 0^{l_X - i} x_1 \dots x_i \in \{0,1\}^{l_X}$ for all $i \in [l_X]$ (the prefix of $X$ that consists of the first $i$ bits). For convenience:

$$T(X) := \prod_{i=1}^{l_X} t(X^{(i)})$$

Lemma [HW]: Given $q = q(\kappa)$ distinct input values, the probability that $t(X)$ collides is negligible.

8 / 13

SLIDE 45

A New RSA-Based Signature Scheme S (slightly simplified)

  • Gen($1^\kappa$): computes a balanced and safe RSA modulus $n = pq$ and three random generators $e, f, g$ of $QR_n$. Additionally, it draws $k \in_R K$ and $s \in_R \{0,1\}^{l_X}$. $PK = (n, e, f, g, k, s)$, $SK = (p, q)$.
  • Sign($SK, m$): chooses $r \in_R \{0,1\}^{l_r}$ and $X \in_R \{0,1\}^{l_X}$ and computes $z = (e f^m g^r)^{1/T(X)} \bmod n$. The final signature is $\sigma = (z, X, r)$.
  • Verify($PK, m, \sigma$): checks whether it holds for $(z, X, r)$ that $z^{T(X)} \stackrel{?}{=} e f^m g^r \bmod n$.

9 / 13
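
The prime mapping function t(X), the product T(X) and the Gen/Sign/Verify equations above, as an added Python example that is not code from the slides or the authors. Assumptions: constructed toy parameters (safe primes 1019 and 1187, l_X = l_r = 16), a 4-round HMAC-SHA256 Feistel network standing in for the pseudo-random permutation f_k, and nextprime taken as the first prime at or above its argument.

```python
import hashlib, hmac, math, secrets

# Constructed toy parameters; real keys use a safe RSA modulus of cryptographic size.
L_X, L_R = 16, 16              # bit lengths of X and r
P, Q = 1019, 1187              # safe primes: 1019 = 2*509 + 1, 1187 = 2*593 + 1
N, ORDER = P * Q, 509 * 593    # ORDER = |QR_n| = p'q', known only with SK = (p, q)
E, F, G = 4, 9, 25             # fixed squares mod N (the scheme draws random generators)
K, S = b"toy-prp-key", 0xBEEF  # PRP key k and public value s

def prp(k, x):
    """Assumed stand-in for f_k: 4-round Feistel on 16-bit values (HMAC-SHA256 rounds)."""
    left, right = x >> 8, x & 0xFF
    for rnd in range(4):
        mac = hmac.new(k, bytes([rnd, right]), hashlib.sha256).digest()
        left, right = right, left ^ mac[0]
    return (left << 8) | right

def is_prime(v):
    return v >= 2 and all(v % d for d in range(2, math.isqrt(v) + 1))

def t(x):
    """t(X) := nextprime(s XOR f_k(X)), taken here as the first prime >= that value."""
    v = S ^ prp(K, x)
    while not is_prime(v):
        v += 1
    return v

def T(x):
    """T(X): product of t(X^(i)) over all prefixes X^(i) = 0^(l_X - i) x_1 ... x_i."""
    return math.prod(t(x >> (L_X - i)) for i in range(1, L_X + 1))

def rhs(m, r):
    """e * f^m * g^r mod n, the value both Sign and Verify compute."""
    return E * pow(F, m, N) * pow(G, r, N) % N

def sign(m):
    """Sign with SK: z = (e f^m g^r)^(1/T(X)) mod n, sigma = (z, X, r)."""
    while True:
        x, r = secrets.randbits(L_X), secrets.randbits(L_R)
        tx = T(x)
        if math.gcd(tx, ORDER) == 1:  # toy sizes only: redraw if T(X) hits p' or q'
            return pow(rhs(m, r), pow(tx, -1, ORDER), N), x, r

def verify(m, sig):
    """Verify with PK only: z^T(X) == e f^m g^r mod n."""
    z, x, r = sig
    return pow(z, T(x), N) == rhs(m, r)

if __name__ == "__main__":
    sigma = sign(1234)
    print(sigma, verify(1234, sigma), verify(1235, sigma))
```

Taking the T(X)-th root requires the group order p'q', which is why only the holder of SK = (p, q) can run `sign`, while `verify` uses public values alone.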

SLIDE 46

Security

Theorem. Assume the $(t_{RSA}, \epsilon_{RSA})$-RSA assumption holds. Then, $S$ is $(q, t, \epsilon)$-secure against adaptive chosen message attacks provided that

$$q = q_{RSA}, \quad t \approx t_{RSA}, \quad \epsilon \le 9 q l_X \epsilon_{RSA}/2 + \mathrm{negl}(\kappa).$$

10 / 13

SLIDE 47

Signing Message Blocks

  • Gen($1^\kappa$): is the same as in our main RSA scheme except that it now chooses $u + 2$ generators $e, f_1, \dots, f_u, g$ of $QR_n$.
  • Sign($SK, m_1, \dots, m_u$): to sign a message the signer draws random values $r \in \{0,1\}^{l_r}$ and $X \in \{0,1\}^{l_X}$. Next, it computes

$$z = \left(e g^r \prod_{i=1}^{u} f_i^{m_i}\right)^{1/T(X)} \bmod n.$$

    The final signature is $\sigma = (z, X, r)$.
  • Verify($PK, m_1, \dots, m_u, \sigma$): to verify a signature $(z, X, r)$ the verifier checks whether

$$z^{T(X)} \stackrel{?}{=} e g^r \prod_{i=1}^{u} f_i^{m_i} \bmod n.$$

11 / 13

SLIDE 50

Protocol for Signing Committed Values

  • Interactive ZK protocol between signer s and user u.
  • Very similar to the protocol for CL.
  • Idea: if u successfully proves knowledge of a committed value m, then s processes the corresponding commitment such that the result is a signature on m.

12 / 13

SLIDE 51

The End

Thank you for your attention. Any questions?

13 / 13